
Security Tips for Configuring Wireless Networks for Workgroups/Conferences
What's the problem with wireless network security? There seems to be a lot of security built-in...
- The obvious difference between wired and wireless is that the signals are available in the air to anyone, rather than being limited to a wire. The signal is also broadcast over far greater distances than the work environment (someone in a car or a coffee house near the University may be able to listen in).
- What appear to be very good security measures are really just 'speed bumps': each one deters, but no single measure protects sufficiently.
- Many people do not use the security options that do exist ("it works out of the box" is a common advertisement).
- IP and MAC addresses can readily be 'spoofed' or faked.
- WEP encryption has been shown to be weak. Always use WPA or WPA2 encryption.
- The default (out of the box) parameters are well-known for each brand. For example, the configuration parameters (including security settings) can be changed by anyone using the default password.
Tips to improve security on wireless networks for workgroups and conferences
- Responsibility: Define a technical/security contact for the new network you are creating when you plug in an access point. Call your campus help desk (Twin Cities campus is (612) 301-4357 for 1-HELP) to report the contact person's name and phone number.
- Change default settings: Change the default ESSID (Extended Service Set Identifier), which is the name of the new wireless network you are creating. Change the default base station password, SNMP password, etc.
- If configuring a workgroup network, use WPA2 encryption if available.
- Limit the signal range: Move access points to the center of a building. Signals can propagate through glass windows for several hundred feet (from East Bank to West Bank). Some access points have parameters that can also be set to reduce the range.
- Use private networks: Turn off the broadcast function that broadcasts your network name to anyone within range. The clients will need to know the network name and password to connect (better security).
- Use IP and MAC addresses to limit the network to known clients. They can be 'spoofed' but are much better than a completely open network.
- Oftentimes, being better secured than the next person is good enough. Unless there is some reason you are targeted, a series of speed bumps (as in the above) is a lot better than nothing.
- See OIT Wireless Access Point Technical Standards at http://www.umn.edu/wireless/standards.html and OIT Wireless Networking at http://www.umn.edu/wireless/index.html for more information.
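
The checklist above can be checked mechanically. The following is an added example, not part of the original page: it assumes the access point is driven by a hostapd-style key=value configuration file and reports which of the tips (ESSID, WEP/WPA2, name broadcast, MAC allow list) the file does not follow. The sample configurations, file path and finding names are constructed for illustration.

```python
# Added example: check a hostapd-style config against the tips above.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}  # sample list; extend it

# Constructed sample configs (values are placeholders, not real deployments).
WEAK = """ssid=linksys
wep_default_key=0
wep_key0=1234567890
"""
HARDENED = """ssid=conf-room-3b
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-placeholder
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.mac
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return one finding per tip the config does not follow."""
    conf, findings = parse_conf(text), []
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS | {""}:
        findings.append("default-essid")
    if any(k.startswith("wep_key") for k in conf):
        findings.append("wep-enabled")
    wpa = conf.get("wpa", "0")
    wpa = int(wpa) if wpa.isdigit() else 0   # bit 0 = WPA, bit 1 = WPA2
    if wpa == 0:
        findings.append("no-wpa")
    elif not wpa & 2:
        findings.append("wpa2-not-enabled")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid-broadcast-on")
    acl = conf.get("macaddr_acl", "0")      # 1 = only listed MACs may join
    if acl == "0" or (acl == "1" and "accept_mac_file" not in conf):
        findings.append("no-mac-allow-list")
    return findings
if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

The base station and SNMP passwords are set outside this file, so they still need to be checked by hand.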